Bug 986302 (CVE-2013-3495) - CVE-2013-3495 hw: virt: Intel VT-d Interrupt Remapping engines can be evaded by native NMI interrupts
Summary: CVE-2013-3495 hw: virt: Intel VT-d Interrupt Remapping engines can be evaded ...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2013-3495
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 986303
TreeView+ depends on / blocked
 
Reported: 2013-07-19 11:24 UTC by Petr Matousek
Modified: 2023-05-11 23:47 UTC (History)
16 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-08-24 13:37:04 UTC
Embargoed:


Attachments (Terms of Use)

Description Petr Matousek 2013-07-19 11:24:12 UTC
Malformed MSIs are transactions to the special address range that
do not have proper attributes of MSI requests. Such malformed transactions are detected and aborted by the platform, before they are subject to further interrupt remapping/processing. For RAS purposes, some platforms may be configured to support System Error Reporting (SERR) capability. These platforms raise a PCI system error (SERR#) due to Unsupported Request, which are typically delivered as Non-Maskable Interrupts (NMI), to report such errors to software. Depending on hypervisor and Dom0 kernel configuration, such an NMI may be handled by the hypervisor/Dom0 or can result in a host software halt ("panic"). On platforms with SERR enabled, such malformed MSI requests can be generated by guest OS with an assigned device, causing hypervisor/Dom0 receive NMI despite using VT-d and interrupt remapping for device assignment.

A malicious domain, given access to a device which bus mastering capable, can
mount a denial of service attack affecting the whole system.

Only systems using Intel VT-d for PCI passthrough and enabled SERR are vulnerable.

This issue can be avoided by not assigning PCI devices to untrusted guests.

References:

http://seclists.org/oss-sec/2013/q3/421

Acknowledgements:

Red Hat would like to thank the Xen and KVM upstreams for reporting this issue. Xen upstream acknowledged Gábor PÉK of CrySyS Lab as the original reporter

Comment 1 Petr Matousek 2013-07-19 11:27:45 UTC
Statement:

This is hardware issue related to Intel VT-d, affecting all hypervisors (such as Xen and KVM) using Intel VT-d for guest PCI passthrough.


Note You need to log in before you can comment on or make changes to this bug.